Yes but having a paid insider gives you a major advantage. You can now seed vulnerabilities, and derive a predictable income stream from these seeded vulnerabilities.
What is more scary to me is that big money is involved here. What if you can't get a developer to be tempted by money to insert vulnerabilities for you, and you start using a more heavy-handed approach (death threats, etc.)?
Also by paying developers to insert vulnerabilities, you no longer need experts looking for vulnerabilities. These experts are in short supply, so it might become a more viable path.
This is why I am uncomfortable with vulnerability markets...
First, I thought you were simply talking about insiders who had knowledge of targeted software. Here it seems like you're talking about moles being paid to insert new vulnerabilities.
But even then, I don't find this threat particularly credible. After all, what we're talking about here are W2 employees with social security numbers or immigration tracking committing galactically expensive torts against their employers and in all likelihood most of the Fortune 500, in addition to (in all probability) multiple felonies. How much money do you think Endgame can afford to pay these people to shoulder that risk? There's a reason this doesn't actually happen all the time.